Roaming Profiles. Won't load profile to server when permissions changed by admin.

Michael Love

This may be a fault of Blaster fix and if you have heard this all
before, don't be annoyed. I have tried searching!

Roaming profiles on a separate server. Administrator comes along and
takes ownership of profile, changes permissions to everyone and
domain\administrator Full Control. Did this to look into the users
profiles.

When user tries to log on to Citrix user gets unable to load roaming
profile, using temporary. A TEMP profile is then loaded on the term
server.

I used to be able to do this with no problems whatsoever, it seems to
be only lately and possibly only to newer users. Other users have no
such problems.

I know it is a permissions thing in Docs and settings, I read
somewhere that the permissions were changed by the blaster fix.
Permissions on the term server docs and settings is:

Server admin Full
System Full
Domain Users R&X
Can't remember the 4th but it's R&X also.

Is there any way to fix this without having to turn local logon On and
get the PW for each user that is affected, logon as them and change
the permissions?
I need to look into their profiles in the future anyway.


Does this have anything to do with the usrclass.dat problem which
Q827825 and Q8xx153 deals with?

Thank you.
 
Sergey Kuzin [MS]

Michael,
The only thing I can think of is that you accidentally deleted user's WRITE
permission to his roaming profile directory.
Normally each user would have Full Control to his profile sub-tree and to
the share through which the profile is accessed.
Log on as one of the users in question and try to access the share and files
and folders in the user's profile. See if you can create new files and
folders under the profile's root folder.

You don't have to log on as each user to fix the permissions. Having
administrative privileges should be enough to grant any user access to any
folder or share.

Thx,
Sergey.
 
Michael Love

Thx Sergey but I gave full control writes to everyone in the roaming
profile.

Someone on the Citrix forum told me to logon to the roaming profile
server as a user (having granted local admin rights to everyone) and
take ownership of the profile and all its folders etc.
I then added the user back into the NTFS security perm's with Full
Control and left the domain admin in there Full Control also. I
removed Everyone from the permissions.
Now the user can logon to Citrix again with no problems and I as
Domain admin can look at the profile still.

It looks like an ownership problem but I do not know how to correct
this for all users, especially as I do not know all their passwords! I
may have to take ownership of the profile as the user that logs on (by
getting their passwords) and take ownership of each individual user's
profile as that user!

Does the SYSTEM user on the term server (Full Control) look at the owner
of the profile and the user logging in and only allow the roaming
profile to copy over to the term server if the two have the same SID?
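
The bulk repair asked about above, as an added example that is not part of any poster's message: it reports each profile folder's owner and any explicit Everyone entry, and with `-Apply` resets the owner to the matching user, grants the user and an admin principal Full Control, and removes Everyone, all from an administrator session without any user's password. The share path, domain name, admin group and the folder-name-equals-logon-name convention are assumptions.

```powershell
# Added example: audit and repair owner/ACL on each roaming profile folder.
# Hypothetical defaults below; run from an elevated administrator session.
param(
    [string]$ProfileRoot = '\\FILESRV\Profiles$',     # hypothetical profile share
    [string]$Domain      = 'EXAMPLE',                 # hypothetical NetBIOS domain
    [string]$AdminGroup  = 'EXAMPLE\Domain Admins',   # hypothetical admin principal
    [switch]$Apply                                    # report only unless set
)
$sidType  = [System.Security.Principal.SecurityIdentifier]
$everyone = 'S-1-1-0'                                 # well-known SID for Everyone

foreach ($dir in Get-ChildItem -LiteralPath $ProfileRoot -Directory) {
    # Assumption: each folder is named after the user's logon name.
    $account = "$Domain\$($dir.Name)"
    try {
        $userSid = ([System.Security.Principal.NTAccount]$account).Translate($sidType)
    } catch {
        Write-Warning "$($dir.FullName): no account '$account', skipped"
        continue
    }

    $acl         = Get-Acl -LiteralPath $dir.FullName
    $ownerSid    = $acl.GetOwner($sidType)
    $explicit    = $acl.GetAccessRules($true, $false, $sidType)   # explicit ACEs only
    $ownerOk     = $ownerSid.Value -eq $userSid.Value
    $hasEveryone = [bool]($explicit | Where-Object { $_.IdentityReference.Value -eq $everyone })

    # One report row per folder, emitted whether or not -Apply is set.
    [pscustomobject]@{
        Folder = $dir.FullName; Owner = $ownerSid.Value
        OwnerIsUser = $ownerOk; ExplicitEveryone = $hasEveryone
    }
    if (-not $Apply -or ($ownerOk -and -not $hasEveryone)) { continue }

    # Owner back to the user, for the folder and everything under it.
    & icacls.exe $dir.FullName /setowner $account /T /C /Q | Out-Host
    # User and admin principal get inheritable Full Control on the profile root.
    & icacls.exe $dir.FullName /grant "${account}:(OI)(CI)F" "${AdminGroup}:(OI)(CI)F" /C /Q | Out-Host
    # Drop the Everyone grant that was added while inspecting the profile.
    & icacls.exe $dir.FullName /remove:g "*$everyone" /T /C /Q | Out-Host
}
```

Run it once without `-Apply` and review the report before changing anything.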
 
